Log In

Hardware hack grants remote persistent password bypassing

Modified disks can throw errors to prevent wholesale data copying.

Attackers could gain persistent access to machines by hacking hardware HD controllers, a researcher has found.

The technical attack to be presented at the Breakpoint conference in Melbourne tomorrow focused on "mysterious" hard disk controllers which hardware hacker Jeroen Domburg (@SpritesMods) reverse-engineered to alter the firmware which ran on the processors.

In a demonstration on a previously compromised web server at the OMH2013 conference in the US, Domburg was able to remotely set an authentication password and flush a cached shadow file.

"A hypothetical attacker could own a box by using an exploit to gain root access on it, then reading the firmware from the hard disk, modifying it and writing it back again," Domburg said.

If the victim then reinstalled a clean operating system and patched any vulnerabilities, they could still be compromised from the hardware.

"The attacker has just modified the hard disk firmware and the hardware is looking for a specific magic string [which] when written to the hard disk enables a bit of code," he said.

"If [the target] is a web server, [an attacker] can request a URL with the trigger string in it which eventually ends up in the webserver's log files and is then written to the hard disk ... it will then activate the bit of code and every time it sees etc/shadow (which keeps tabs on user passwords) the hardware will modify it to something the attacker has set earlier."

The machine, Domburg said, was then "completely reowned".

But disks with such modified firmware could be used for harmless purposes including creating storage that cannot be copied in a linear fashion -- which would grant access to an operating system but not users attempting to harvest files -- or it could be used as a universal SATA client.

All rights reserved. This material may not be published, broadcast, rewritten or redistributed in any form without prior authorisation.Your use of this website
constitutes acceptance of nextmedia's Privacy Policy and
Terms & Conditions.